Security is Simple as 1, 2, 3

Keeping an organization’s IT assets secure in this day and age is a challenge.  The sands of the information security landscape are constantly shifting, and it can be difficult for practitioners to find solid footing; to identify those initiatives that will net the greatest return on security spend.  Each day seems to bring another emerging concern in the threat landscape.  The organization itself often seems to work against us, wanting to expand our already too-broad attack surface by embracing new technologies, connecting with partners, or acquiring other businesses entirely. 

In such a climate it can be easy to allow our attention to be drawn to the expanding edge or our environment and the newest threats to be found there.  Advanced Persistent Threats (APT), supply chain risks, and cloud/container platform issues, to name a few, are more recent additions to our list of concerns.  And let’s be honest, as technologists we are drawn to the new, the novel, the esoteric – because it is interesting.  While there are real risks to be addressed here, they may not represent the greatest area of exposure for your users and information assets or the best ROI. 

Over the past four years of performing research for monthly threat briefings there are three themes that constantly arise which, if mastered, can greatly reduce the information security risk to the enterprise.  These are:

1. Keep systems and software components up to date.  This includes regular patching as well as upgrading platforms when they are no longer supported.  Two key components of a success patching program are making sure that all devices in the environment are (1) identified and (2) under management.
2. Enforce the principle of least privilege.  User accounts, applications, service accounts and network resource permissions must all be taken into account and kept up to date.  The use of segmentation and micro-segmentation strategies are an excellent additional layer of control to apply. 
3. Constantly train users on security culture and safe computing practices.  User training and awareness cannot be limited to phishing emails or social engineering alone.  Topics should include physical security related issues (locking doors, desks, and cabinets), challenging strangers for credentials when appropriate, responsible data distribution practices and how to report suspected oversights.  Ultimately this must be a paradigm shift; an exercise in building an organizational culture that emphasizes security and the priority of reporting suspected indicators of incidents in a consequence-free climate.

Often, the root cause of a security incident can be traced back to failures associated with one or more of these three points rather than some fringe security exposure.  Environments are dynamic, and it is unlikely we can ever be certain that we have 100% coverage for any security practice or solution we put in place; especially over time.   As a result, when asked by customers what they should be focusing on, I always recommend they consider these practices critical, foundational elements of their security program and work to validate and improve upon the effectiveness of these capabilities on an ongoing basis.   

The truth is that such core security practices not particularly interesting and focusing on the fringe of the threat landscape is far more appealing.  The idea that we are on the front lines, in a fight against cybercrime syndicates and cabals of foreign intelligence agents, can add a certain mystique to the information security role.  As though we are a combination of Elliot Ness and James Bond ready to win the day. 

The trick is not to under-invest resources in those often-mundane components of the security program while we look to the horizon.  Perhaps a better role model for the information security function is Wall-E; the trash-compacting protagonist who spends his days cleaning up the mess and trying to put things in order despite the overwhelming scope of the problem.   While not as dashing a self-portrait, Wall-E accomplished something that James Bond never did: he introduced new concepts to people, driving awareness, which ultimately invoked a widespread and long-term cultural change for the better.  And that is a pretty good day’s work.